PCI Requirement 7.2.2 – Assignment of Privileges Based on Job Function

by Randy Bartels / November 28th, 2017

What is PCI Requirement 7.2.2?

We’ve discussed least privilege and business need-to-know a lot during PCI Requirement 7, and PCI Requirement 7.2.2 is no different. PCI Requirement 7.2.2 requires that your organization’s access control systems assign privileges based on job classification and function. If a job doesn’t require certain access to function, there’s no need to grant that access.

Access control systems help protect your organization from unknowingly granting access to the cardholder data environment to an unauthorized user. Access control systems, and implementing PCI Requirement 7.2.2, help your organization automate the process of restricting access and assigning privileges based on job classification and function.

During a PCI assessment, your system settings and relevant documentation will be examined to verify that your access control systems are configured to enforce privileges assigned to individuals based on job classification and function.

PCI Requirement 7.2.2 is about assigning the privileges we’ve been talking about for role-based access controls. Later on in the assessment, in Requirement 8, assessors are going to get copies of your user access request forms and artifacts, either electronic or physical, and then test the systems to make sure that the permissions actually configured for these individuals match what was approved for them. Requirement 7 is about role-based access controls and making sure that only the necessary privileges have been assigned. Requirement 8 is then going to be about authentication. Specific to this particular requirement, PCI Requirement 7.2.2, we want to make sure that only the necessary privileges have been assigned and that your systems are capable of enforcing the privileges you’ve defined within your organization.
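The check an assessor performs here, comparing what a role is entitled to against what the access control system has actually granted, can be scripted. The example below is an added illustration and is not from the original post or any assessor tool; the role names, permission strings and user grants are constructed sample data. It reports excess privileges (granted beyond the job function, the 7.2.2 concern) and missing ones, and flags users with grants but no approved role.

```python
"""Reconcile actual privilege grants against role definitions (PCI 7.2.2 style check)."""
from dataclasses import dataclass, field

# Role definitions: each job function maps to the minimum privileges it needs.
# Constructed sample data; role and permission names are hypothetical.
ROLE_PRIVILEGES = {
    "cashier":       {"pos:process_payment", "pos:void_own_sale"},
    "support_agent": {"crm:view_ticket", "crm:view_last4"},
    "dba":           {"db:read_chd", "db:manage_schema"},
}

# Users and the job function(s) approved for them via the access-request process.
USER_ROLES = {
    "alice": {"cashier"},
    "bob":   {"support_agent"},
    "carol": {"dba"},
    "dave":  set(),             # no approved role on file
}

# Privileges as actually configured in the access control system (constructed export).
ACTUAL_GRANTS = {
    "alice": {"pos:process_payment", "pos:void_own_sale"},
    "bob":   {"crm:view_ticket", "crm:view_last4", "db:read_chd"},   # excess grant
    "carol": {"db:read_chd"},                                        # one grant missing
    "dave":  {"pos:process_payment"},                                # grant with no role
}

@dataclass
class Finding:
    user: str
    excess: set = field(default_factory=set)    # granted but not justified by any role
    missing: set = field(default_factory=set)   # required by role but not granted

def expected_privileges(user, user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES):
    """Union of the privileges every role assigned to the user is entitled to."""
    return set().union(*(role_privs.get(r, set()) for r in user_roles.get(user, set())))

def reconcile(actual=ACTUAL_GRANTS, user_roles=USER_ROLES, role_privs=ROLE_PRIVILEGES):
    """Return findings only for users whose grants deviate from their role definition."""
    findings = {}
    for user in set(actual) | set(user_roles):
        expected = expected_privileges(user, user_roles, role_privs)
        granted = actual.get(user, set())
        excess, missing = granted - expected, expected - granted
        if excess or missing:
            findings[user] = Finding(user, excess, missing)
    return findings

if __name__ == "__main__":
    for f in reconcile().values():
        print(f"{f.user}: excess={sorted(f.excess)} missing={sorted(f.missing)}")
```

In practice the two dictionaries would be loaded from the approved access-request records and an export of the system’s configured permissions, and every "excess" line is a 7.2.2 finding to remediate.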